[Wireshark-dev] Help finding the link layer dissector call (netmon_802_11)

2021-02-16 Thread Shai Shapira via Wireshark-dev

Hi all,


I'm researching Microsoft's Network Monitor captures format (.cap files) and I 
need a lead in WS's code.
Based on the 'link layer type' parsed from the file header the packets might be 
802.11 frames with NM's special header.
This dissector is known as "netmon_802_11" in wireshark.


It is the first protocol in every frame's stack and its registration routine adds it directly 
to the "wtap_encap" table like so:

dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE_802_11_NETMON, 
netmon_802_11_handle);


(from packet-ieee80211-netmon.c)


Could someone point me to the function where the actual 'call_dissector' or 
'call_dissector_with_data' is happening for the initial layer?
Also, is that dependent on the file format we are parsing (pcap/pcapng/cap) or 
is there a single function all eventually get to?




Thank you,
Shai
___
Sent via: Wireshark-dev mailing list 
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

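The question above is about where the very first dissector is chosen. As an added note and example (not code from Wireshark or from the poster): the link-layer type is read from the capture file header by the wiretap reader for that format and mapped to a WTAP_ENCAP_* value, and the frame dissector (epan/dissectors/packet-frame.c) then looks that value up in the "wtap_encap" table once per record, so the dissection entry point is the same whether the file was pcap, pcapng or NetMon; only the reader differs. The script below shows the file-format side for classic pcap and pcapng (the NetMon container is not parsed here). The sample headers are constructed inline, and the LINKTYPE name table is a selected subset of the public registry.

```python
"""Read the link-layer type(s) a capture file declares in its header.

Added example, not Wireshark code. Handles pcap and pcapng only; a NetMon
.cap file has its own container format that is not parsed here.
"""
import struct

# Selected values from the tcpdump/IANA LINKTYPE registry.
LINKTYPE_NAMES = {
    0: "LINKTYPE_NULL",
    1: "LINKTYPE_ETHERNET",
    105: "LINKTYPE_IEEE802_11",
    127: "LINKTYPE_IEEE802_11_RADIOTAP",
}

# pcap magic as it appears on disk -> (struct byte order, nanosecond timestamps)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", False),
    b"\xa1\xb2\xc3\xd4": (">", False),
    b"\x4d\x3c\xb2\xa1": ("<", True),
    b"\xa1\xb2\x3c\x4d": (">", True),
}

PCAPNG_SHB = 0x0A0D0D0A            # Section Header Block, same bytes both ways
PCAPNG_IDB = 0x00000001            # Interface Description Block
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def pcap_linktype(data):
    """Return the single link-layer type from a classic pcap global header."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    order, nanos = PCAP_MAGICS[data[:4]]
    _magic, major, minor, _tz, _sigfigs, snaplen, network = struct.unpack(
        order + "IHHiIII", data[:24])
    # Newer writers may put FCS information in the upper bits; the LINKTYPE
    # value itself is the low 16 bits.
    return {"format": "pcap", "version": (major, minor), "snaplen": snaplen,
            "nanoseconds": nanos, "linktypes": [network & 0xFFFF]}


def pcapng_linktypes(data):
    """Walk the first section of a pcapng file and collect every IDB link type."""
    if len(data) < 12 or struct.unpack("<I", data[:4])[0] != PCAPNG_SHB:
        raise ValueError("not a pcapng file")
    # The byte-order magic at offset 8 tells us how the section was written.
    if struct.unpack("<I", data[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
        order = "<"
    elif struct.unpack(">I", data[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
        order = ">"
    else:
        raise ValueError("bad byte-order magic")
    linktypes = []
    off = 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack(order + "II", data[off:off + 8])
        # Every block is at least 12 bytes and 4-byte aligned; never trust blen blindly.
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length at offset %d" % off)
        if btype == PCAPNG_SHB and off != 0:
            break  # a second section starts; this example stops at the first
        if btype == PCAPNG_IDB:
            linktype, _rsv, _snap = struct.unpack(order + "HHI", data[off + 8:off + 16])
            linktypes.append(linktype)
        off += blen
    return {"format": "pcapng", "linktypes": linktypes}


def capture_linktypes(data):
    """Sniff the format from the magic, then read the declared link type(s)."""
    if data[:4] in PCAP_MAGICS:
        return pcap_linktype(data)
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PCAPNG_SHB:
        return pcapng_linktypes(data)
    raise ValueError("unrecognised capture format")


def linktype_name(value):
    return LINKTYPE_NAMES.get(value, "LINKTYPE_%d" % value)


# Constructed sample files (headers only, no packets) so the example runs offline.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
SAMPLE_PCAPNG = (
    struct.pack("<IIIHHqI", PCAPNG_SHB, 28, PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1, 28)
    + struct.pack("<IIHHII", PCAPNG_IDB, 20, 1, 0, 65535, 20)
    + struct.pack("<IIHHII", PCAPNG_IDB, 20, 127, 0, 262144, 20)
)

if __name__ == "__main__":
    for blob in (SAMPLE_PCAP, SAMPLE_PCAPNG):
        info = capture_linktypes(blob)
        print(info["format"], [linktype_name(v) for v in info["linktypes"]])
```

A pcapng file can declare several interfaces with different link types, which is why the function returns a list; each packet block then refers to one of them by interface ID, and that is the value that ends up driving the first dissector call.
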
Re: [Wireshark-dev] Parsing openflow

2018-08-15 Thread Shai Shapira
Hey Avi
The syntax you need to use in TShark’s -e option is the same one you’d use in 
the filter in Wireshark.
An easy way to find what that would be is by clicking the field you want to 
export and looking in the status bar in Wireshark; the value in the brackets will be the 
filter.
Example for a field in SSL:


Good luck

From: Avi Cohen (A)
Sent: Wednesday, August 15, 2018 17:08
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Parsing openflow

Hi Dario

I can easily create a file with the packet headers as columns (the original 
headers of a pkt, e.g. eth, ip, tcp, etc.), but I need the TCP payload fields 
(which are the flow headers). 
For example I need the surrounded fields in the picture below (or in the 
attached png), something like tshark -T fields -e OpenFlow.of_match.eth_src
This is probably incorrect syntax because it does not generate the required 
field columns.
Best Regards
Avi
From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of 
Dario Lombardo
Sent: Tuesday, 14 August, 2018 2:50 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Parsing openflow

Hi Avi
Have a look at tshark and its -E and -e options. That could do the job.

On Tue, Aug 14, 2018 at 1:19 PM Avi Cohen (A)  wrote:
Hi 
I need to capture open-flow msgs (e.g. FLOW_MOD to add new flows) from 
controller to vSwitch, 
and to generate e.g. a *file* whose rows are the captured flows and whose 
columns are the flow header fields, e.g. column 1 source-mac, column 2 
dest-mac, column 3 source-IP etc. Whenever a field is not relevant I can 
set the field as (don't care).
Also the action (actions) should be put in a column.
I need this file as an input to an algorithm that should manipulate these flows.

My question: can I use the wireshark pkg for this purpose? If yes, what is the 
recommended way?

Best Regards
Avi 



-- 
Naima is online.


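The export the thread is after (one row per FLOW_MOD, one column per match field, actions in their own column, blanks where a field does not apply) is exactly what `tshark -T fields` with `-E` and `-e` produces. As an added example that is not from the thread or from the Wireshark project, the script below builds that tshark command line and parses its output into rows. The `-T fields`, `-E header=y`, `-E separator=/t`, `-E occurrence=a`, `-E aggregator=;`, `-Y` and `-e` options are real tshark options; the `openflow_v4.*` field names are assumptions that should be checked the way the reply above describes (select the field, read the bracketed name in the status bar), and the sample output is constructed by hand rather than captured.

```python
"""Export selected dissected fields from a capture as rows, via tshark -T fields.

Added example, not from the thread. The openflow_v4.* field names below are
assumptions to verify in Wireshark's status bar; the tshark options are real.
"""
import csv
import io
import shutil
import subprocess

# Assumed display-filter names for the OpenFlow 1.3 dissector (openflow_v4).
DEFAULT_FIELDS = [
    "frame.number",
    "openflow_v4.type",
    "openflow_v4.oxm.field",
    "openflow_v4.oxm.value_etheraddr",
    "openflow_v4.oxm.value_ipv4addr",
    "openflow_v4.action.type",
]
AGGREGATOR = ";"                              # joins repeated occurrences of a field
FLOW_MOD_FILTER = "openflow_v4.type == 14"    # OFPT_FLOW_MOD in OpenFlow 1.3


def build_tshark_cmd(capture_path, fields=DEFAULT_FIELDS, display_filter=FLOW_MOD_FILTER):
    """argv for tshark: tab-separated, header row, all occurrences of each field."""
    cmd = ["tshark", "-r", capture_path, "-Y", display_filter, "-T", "fields",
           "-E", "header=y", "-E", "separator=/t",
           "-E", "occurrence=a", "-E", "aggregator=" + AGGREGATOR]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text, aggregator=AGGREGATOR):
    """Turn tshark's header+rows output into a list of dicts.

    A field that repeats inside one packet (several OXM matches, several
    actions) becomes a list; an absent field becomes None, the asker's
    'don't care' marker.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="\t"):
        row = {}
        for key, val in rec.items():
            if val is None or val == "":
                row[key] = None
            elif aggregator in val:
                row[key] = val.split(aggregator)
            else:
                row[key] = val
        rows.append(row)
    return rows


def export_flows(capture_path):
    """Run tshark (when installed) and return the parsed rows."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    out = subprocess.run(build_tshark_cmd(capture_path), check=True,
                         capture_output=True, text=True).stdout
    return parse_fields_output(out)


# Constructed sample of what the command above prints: two FLOW_MODs, the second
# carrying two OXM ethernet-address matches (eth_dst, eth_src) and two actions.
SAMPLE_OUTPUT = (
    "frame.number\topenflow_v4.type\topenflow_v4.oxm.field\t"
    "openflow_v4.oxm.value_etheraddr\topenflow_v4.oxm.value_ipv4addr\t"
    "openflow_v4.action.type\n"
    "12\t14\t3\taa:bb:cc:dd:ee:01\t\t0\n"
    "15\t14\t3;4\taa:bb:cc:dd:ee:02;aa:bb:cc:dd:ee:03\t\t0;0\n"
)

if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("flows.pcapng")))
    for row in parse_fields_output(SAMPLE_OUTPUT):
        print(row)
```

The aggregator matters for this use case: a FLOW_MOD carries several match fields and several actions in one packet, and without `occurrence=a` plus an aggregator tshark would print only the first one and silently drop the rest.
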
[Wireshark-dev] usbpcap no longer recognized in 2.9

2018-07-14 Thread Shai Shapira
Hey all
I noticed today I couldn't get Wireshark to show the usbpcap interface in
the latest master build.
I'm quite positive this is because of the new addition to the way extcaps
are interacted with, specifically (from README.extcap):
"
Since Wireshark 2.9 this call is extended with --extcap-version x.x, which
will
allways represent the calling wireshark's version information. This can be
used
to change behavior depending on the wireshark version in question
"
I tried calling usbpcap's executable (USBPcapCMD.exe) with the new
--extcap-version
option and it returns this output:
"
USBPcapCMD.exe: --extcap-version: unknown option
"

While this is something that should be solved at usbpcap side, since
Wireshark ships with the latest usbpcap version (which doesn't support
this option) in the installer, this might confuse the users.
My suggestion is either
1. Allow backward compatibility (calling all extcaps which do not
respond 'nicely' to "--extcap-interfaces --extcap-version=2.9" with the
old "--extcap-interfaces" args list)
2. Remove the usbpcap from the (NSIS) installer until a version which
supports this option exists
What do you guys think?

Side note 1:
I have already opened an issue on usbpcap's GitHub page:
https://github.com/desowin/usbpcap/issues/51
Side note 2:
There seems to be a misalignment between wireshark and README.extcap. The
README says the new options' syntax is
"--extcap-version x.x"
and even provides an example but in my tests wireshark uses
"--extcap-version=x.x". I'm assuming one of them is a mistake and should
be fixed.

Cheers

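The breakage described above comes from an extcap executable rejecting an argument it has never seen. As an added example, not code from Wireshark or from USBPcap, here is a minimal extcap skeleton in Python that follows the documented calling convention (`--extcap-interfaces`, `--extcap-config`, `--extcap-dlts`, `--capture` with `--extcap-interface` and `--fifo`) and stays usable from both sides of the 2.9 change: it accepts `--extcap-version x.x` and `--extcap-version=x.x` alike, exposes the caller's version for tools that want to branch on it, and ignores options it does not know instead of exiting with "unknown option". The interface name `demo0`, the DLT, the config argument and the help URL are made up for the example.

```python
"""Minimal extcap utility skeleton that tolerates old and new Wireshark callers.

Added example, not code from Wireshark or USBPcap. Interface name, DLT,
config argument and help URL are invented for the demonstration.
"""
import argparse
import sys


def parse_extcap_args(argv):
    """Parse the arguments Wireshark passes to an extcap.

    Unknown options are returned separately rather than treated as an error,
    so neither a newer caller (extra flags) nor an older one breaks the tool.
    """
    p = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    p.add_argument("--extcap-interfaces", action="store_true")
    p.add_argument("--extcap-config", action="store_true")
    p.add_argument("--extcap-dlts", action="store_true")
    p.add_argument("--capture", action="store_true")
    p.add_argument("--extcap-interface")
    p.add_argument("--fifo")
    # argparse accepts both "--extcap-version 2.9" and "--extcap-version=2.9".
    p.add_argument("--extcap-version", default=None)
    return p.parse_known_args(argv)


def caller_version(args):
    """(major, minor) of the calling Wireshark, or None when it did not say."""
    if not args.extcap_version:
        return None
    parts = args.extcap_version.split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None
    return (major, minor)


def interface_lines():
    """Output for --extcap-interfaces, in the documented {key=value} format."""
    return [
        "extcap {version=0.1}{help=https://example.invalid/extcap-demo}",
        "interface {value=demo0}{display=Demo extcap interface}",
    ]


def dlt_lines(interface):
    """Output for --extcap-dlts; 147 is LINKTYPE_USER0, reserved for private use."""
    if interface != "demo0":
        return []
    return ["dlt {number=147}{name=USER0}{display=Demo user DLT}"]


def config_lines(interface):
    """Output for --extcap-config: one integer argument shown in the GUI."""
    if interface != "demo0":
        return []
    return ["arg {number=0}{call=--delay}{display=Delay}{type=integer}{default=0}"]


def run(argv):
    """Dispatch on the mode Wireshark asked for and return the lines to print."""
    args, _unknown = parse_extcap_args(argv)
    if args.extcap_interfaces:
        return interface_lines()
    if args.extcap_dlts:
        return dlt_lines(args.extcap_interface)
    if args.extcap_config:
        return config_lines(args.extcap_interface)
    if args.capture:
        raise NotImplementedError("capture to %s is not implemented in this demo" % args.fifo)
    return []


if __name__ == "__main__":
    for line in run(sys.argv[1:]):
        print(line)
```

The version is deliberately parsed into a tuple rather than compared as a string, so that a tool branching on it treats 2.10 as newer than 2.9; a tool that does not care can simply ignore it, which is the behaviour USBPcapCMD.exe lacked here.
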
Re: [Wireshark-dev] How to get calling dissector

2018-01-30 Thread Shai Shapira
I believe there's another possible approach here:
Register the dissector once with proto_register_protocol (as usual), which
assumes the caller is TCP;
register another dissection function (for SMP) using
create_dissector_handle_with_name, called something like "smp.tds";
then look for this name when retrieving the dissector handle in the TDS
dissector.

This means you should have 2 'entry point' functions to your dissector (usually
there's only one dissect_PROTO).
This way by writing different dissection/payload handling code in those two
functions you can react differently to different calling protocols (tcp
calls will trigger the first function, TDS will trigger the second etc)


2018-01-29 21:26 GMT+02:00 Uli Heilmeier :

> Thanks a lot Roland.
>
> Now that I know what to look for packet-sip.c gives a nice example.
>
> Cheers
> Uli
>
> Am 29.01.18 um 18:03 schrieb Roland Knall:
> > Short answer: packet_info->layers should get you the list of protocols
> called before yours. If you iterate, you should
> > see the other protocols before yours. In packet.c:754 you see the code
> adding to the list.
> >
> > Not sure though, how stable that interface is. It is pretty in-depth for
> span, so you should be safe to use it, but not
> > sure, if it is official, or if there is another way.
> >
> > cheers
> > Roland
> >
> > On Sun, Jan 28, 2018 at 10:59 PM, Uli Heilmeier wrote:
> >
> > Hi all,
> >
> > TL,DR:
> > How does a dissector know which dissector called it?
> >
> 